CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Description

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Common Consequences

Scope: Confidentiality, Integrity, Availability / Impact: Read Application Data; Modify Application Data
Scope: Availability / Impact: DoS: Crash, Exit, or Restart

An attribute written to a prototype is inherited by every object that shares it, so code anywhere in the process may suddenly see data it never set (for example a flag such as isAdmin), and an unexpected attribute on a widely shared prototype can make unrelated code paths fail or crash.
Potential Mitigations

Freeze the object prototype before any untrusted input is processed (for example, Object.freeze(Object.prototype)); a frozen prototype cannot be modified. Note that the freeze is process-wide and irreversible, it can break libraries that extend Object.prototype, and it only covers the object that was frozen: other prototypes (Array.prototype, or a class's prototype reached through obj.constructor.prototype) need the same treatment or one of the mitigations below.

Block modifications through attribute names that resolve to an object prototype, such as __proto__ and prototype, and also constructor, since obj.constructor.prototype leads to the same prototype object. Apply the check at every level of a recursive merge or deep assignment, not only on the top-level keys.

When handling untrusted objects, validate them against a schema that allowlists the expected attributes and rejects unknown ones, so that a prototype-targeting key never reaches the merge or assignment logic.

Use an object without a prototype (created via Object.create(null)) as the target. With no prototype there is no inherited __proto__ accessor or constructor attribute, so the special attribute names cannot reach an object prototype and become ordinary own properties instead. Such objects also lack inherited methods like hasOwnProperty, so call Object.prototype.hasOwnProperty.call(obj, key) (or Object.hasOwn(obj, key)) rather than obj.hasOwnProperty(key).

In most cases Map can be used instead of plain objects. When keys are stored and read through Map methods (set, get, has) rather than as object attributes, a key named __proto__ is just data, and there is no way to access or modify the object prototype through it.
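As an added example (not code from the CWE entry or from MITRE), the following JavaScript shows a recursive merge helper of the kind this weakness typically appears in, first in a vulnerable form and then hardened with the key-blocking, prototype-less-object and Map approaches listed above. The function names (unsafeMerge, safeMerge, the demo helpers) and the JSON payload are constructed for this illustration.

```javascript
// Added example, not from the CWE page: a recursive "merge" of the kind
// found in many config/option-parsing helpers, first vulnerable to
// prototype pollution, then hardened. All names here are illustrative.

// Constructed attacker payload, as it might arrive in a JSON request body.
// JSON.parse creates an OWN property literally named "__proto__", which
// Object.keys() and for...in enumerate like any other key.
const PAYLOAD = JSON.parse('{"name":"alice","__proto__":{"isAdmin":true}}');

// Vulnerable: every key is copied, including "__proto__". Reading
// target["__proto__"] on a plain object hits the accessor inherited from
// Object.prototype and returns Object.prototype itself, so the recursive
// call writes attacker-chosen attributes onto the prototype shared by
// every plain object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: keys that resolve to a prototype are dropped at every level,
// nested containers are created without a prototype, and only own
// properties of the target are reused as nested containers.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;           // block the pollution path
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null);            // prototype-less container
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the vulnerable merge and reports whether an unrelated, freshly
// created object inherited the attacker's attribute. The pollution is
// undone afterwards so the rest of the demo starts from a clean state.
function demoUnsafe() {
  unsafeMerge({}, PAYLOAD);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

// Same payload through the hardened merge: the legitimate key survives
// and Object.prototype is untouched.
function demoSafe() {
  const merged = safeMerge({}, PAYLOAD);
  return { name: merged.name, polluted: ({}).isAdmin === true };
}

// Even the UNSAFE merge cannot pollute when the target has no prototype:
// target["__proto__"] is then just an ordinary own data property.
function demoNullPrototypeTarget() {
  const merged = unsafeMerge(Object.create(null), PAYLOAD);
  return { ownProtoKey: hasOwn(merged, '__proto__'), polluted: ({}).isAdmin === true };
}

// With a Map the key "__proto__" is plain data; Map.prototype.set gives
// no path to Object.prototype.
function demoMap() {
  const m = new Map(Object.entries(PAYLOAD));
  return { size: m.size, polluted: ({}).isAdmin === true };
}
```

The block deliberately does not call Object.freeze(Object.prototype): that mitigation is process-wide and irreversible, so it would also neutralise the vulnerable demo and cannot be undone for the remaining checks. constructor is blocked alongside __proto__ and prototype because obj.constructor.prototype reaches the same object as obj.__proto__, and an allowlist-based schema check in front of safeMerge would be the stricter option where the expected keys are known.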
MITRE official page: CWE-1321 (https://cwe.mitre.org/data/definitions/1321.html)